Conditional Access for Azure AD ONLY joined devices

Sebastian Cerazy · ‎Nov 14 2022

All my user mobile devices (Windows based) are Azure AD joined (no hybid)

The requirement is to allow access to online resources from these devices ONLY & if external to trusted location then do MFA)

Internally (trusted location) allow access without MFA

There is NO combination of CA conditions that I can get it working this way

There is no option to specify AAD ONLY joined devices

I can NOT just chose in Grant "Require device to be marked as compliant" because some devices will not be compliant (due to how odd Sophos works from time to time, and the compliance is simply not quick enough to report correctly)

In Conditions/Filter for device I can select isCompliant, device Ownership, trustType but the whole process gets thrown out of the window based to Grant

So no matter what I set users still can access services from personal PC, as long as MFA is executed (which is already configured in separate policy anyway)

Seb

ChristianJBergstrom · ‎Nov 14 2022

Try using filters in EndPoint Manager/Intune https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters

Sebastian Cerazy · ‎Nov 15 2022

?????

And what would that do to my Conditional Access in Azure?

ChristianJBergstrom · ‎Nov 15 2022

CA checks the compliance policies. Don’t allow personal devices to be compliant.

Sebastian Cerazy · ‎Nov 15 2022

Personal devices (not Azure joined) are NEVER compliant, so that is not an issue!
But as explained, I can NOT chose just the compliance condition (because that does not work 100% every time, for reasons mentioned).

ChristianJBergstrom · ‎Nov 15 2022

Well, if BYOD are never compliant the world would have issues right now. And what's up with the language? This is a community where people help each other.

I haven't heard of your third-party compliance issue before. Perhaps check with Sophos...

If filtering of any kind is not an option perhaps you need to look at Defender for Cloud Apps using an Access policy with a Block action.

Sebastian Cerazy · ‎Nov 15 2022

Never mentioned any BYOD.
I think you are replying whatever comes to mind, without actually reading the original post.

I do not trust the compliance being 100% always every time. So cannot use this as one & only defining condition.
All I need is CA where access from AAD joined machine or do NOT access at all

ChristianJBergstrom · ‎Nov 15 2022

No, I'm not... Forget about the filtering in Intune then and use the filtering in CA but the other way around. Block access and exclude company devices using negative operators (NotEquals, NotStartsWith, NotEndsWith, NotContains, NotIn) as positive operators assume the device exists in the directory.

Sebastian Cerazy · ‎Nov 15 2022

Logically that does not convince me. And that is one place where there is no tester available
To me for Block in Grant, in Device filtering this would make more sense:
Include device that "deviceOwnership Not equals Company" & "trustType Not equals Azure AD joined"

ChristianJBergstrom · ‎Nov 15 2022

I am mean you can use multiple expressions. And negative operators for personal devices (devices not in directory). This isn't Microsoft support you know. You should reach out to them instead and complain... Btw, use What if tool and/or report-only to get an idea what will happen.

Sebastian Cerazy · ‎Nov 15 2022

There is no What-if tool in that very section (Filter for devices)
I been through the report-only, but real life just works faster

PhilR2020 · ‎Jul 04 2023

Hi, did you resolve this?

Sebastian Cerazy · ‎Jul 05 2023

Yes, works fine

Paulfi · ‎Dec 06 2023

@Sebastian Cerazy Do you have any SSO enterprise applications? The CA you recommended works great but during the SSO there is NO device information so that login is blocked

Sebastian Cerazy · ‎Dec 07 2023

I sure use SSO (for MS services) and some others. True that some did not work (like Adobe Identity), so these got exempt

Paulfi · ‎Dec 07 2023

Duh. Thank you!!

Paulfi · ‎Dec 07 2023

so that works for that SSO app. Now i am finding that i get NO device info for
Office365 Shell WCSS-Client
Office 365 SharePoint Online

Are the stored windows creds getting passed through like the SSO app i added to the list. I dont want to exclude SPO.

Sebastian Cerazy · ‎Dec 08 2023

For both I get:
Office365 Shell WCSS-Client
Office 365 SharePoint Online

Browser Edge 119.0.0
Operating System Windows10
Compliant Yes
Managed Yes
Join Type Azure AD joined

Maybe users are using Chrome without Microsoft 365 add-on?

Seb

Conditional Access for Azure AD ONLY joined devices

Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Re: Conditional Access for Azure AD ONLY joined devices

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Conditional Access for Azure AD ONLY joined devices